From 6eb423186ec3caf13310e0155789cc17ae45d1db Mon Sep 17 00:00:00 2001
From: Steven Hosking
Date: Tue, 19 Jan 2021 20:53:44 -0800
Subject: [PATCH] added test WHFBAADUser test
---
 README.md | 2 +
 WHFBCHECKS/public/Get-WHFBADSyncNGCSync.ps1 | 10 ++--
 WHFBCHECKS/public/Test-WHFBAADUser.ps1 | 51 +++++++++++++++++++++
 WHFBCHECKS/public/test-WHFB.ps1 | 17 +++---
 4 files changed, 67 insertions(+), 13 deletions(-)
 create mode 100644 WHFBCHECKS/public/Test-WHFBAADUser.ps1
diff --git a/README.md b/README.md
index 275bc32..b2fa304 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,8 @@ A group of PowerShell scripts to check that your environment is ready for Window
 Needs to have the RSAT Active Directory tools enabled.
 The MSOnline module needs to be installed on the computer running the script.
+The WHfBTools Module needs to be installed on the computer running the script.
+The Invoke-CommandAs module needs to be installed on the computer running the script.
 WinRM needs to be enabled on all servers you plan to target, otherwise run locally.
 - Get-WHFBADSyncVersion: This will return the version of AAD Connect that you have installed.
diff --git a/WHFBCHECKS/public/Get-WHFBADSyncNGCSync.ps1 b/WHFBCHECKS/public/Get-WHFBADSyncNGCSync.ps1
index c7c2292..99bb8ab 100644
--- a/WHFBCHECKS/public/Get-WHFBADSyncNGCSync.ps1
+++ b/WHFBCHECKS/public/Get-WHFBADSyncNGCSync.ps1
@@ -4,7 +4,7 @@ function Get-WHFBADSyncNGCSync {
 [Parameter()]
 [string]
 $Computername,
- [Parameter(Mandatory=$false)]
+ [Parameter(Mandatory = $false)]
 [pscredential]
 $Creds
 )
@@ -19,11 +19,11 @@ function Get-WHFBADSyncNGCSync {
 $MSKeyCredSync = $false
 if ($PSBoundParameters.ContainsKey('Computername')) {
 $MSKeyCredSync = Invoke-CommandAs -ComputerName $Computername -ScriptBlock {
- (Get-ADSyncRule | Where-Object {$_.AttributeFlowMappings.destination -eq "msDS-KeyCredentialLink" -and $_.disabled -eq $false}).count -gt 0
+ (Get-ADSyncRule | Where-Object { $_.AttributeFlowMappings.destination -eq "msDS-KeyCredentialLink" -and $_.disabled -eq $false }).count -gt 0
 } -Credential $cred -AsSystem
- } else
- {
- $MSKeyCredSync = (Get-ADSyncRule | Where-Object {$_.AttributeFlowMappings.destination -eq "msDS-KeyCredentialLink" -and $_.disabled -eq $false}).count -gt 0
+ }
+ else {
+ $MSKeyCredSync = (Get-ADSyncRule | Where-Object { $_.AttributeFlowMappings.destination -eq "msDS-KeyCredentialLink" -and $_.disabled -eq $false }).count -gt 0
 }
 return $MSKeyCredSync
 }
\ No newline at end of file
diff --git a/WHFBCHECKS/public/Test-WHFBAADUser.ps1 b/WHFBCHECKS/public/Test-WHFBAADUser.ps1
new file mode 100644
index 0000000..f9c4fce
--- /dev/null
+++ b/WHFBCHECKS/public/Test-WHFBAADUser.ps1
@@ -0,0 +1,51 @@
+function Ge-WHFBAADUser {
+ param (
+ [string]
+ $UPN,
+ [string]
+ $sAMAccountName,
+ [string]
+ $DomainNetBiosName
+ )
+ if (!(get-module -ListAvailable MSOnline)) {
+ install-module MSOnline -scope CurrentUser
+ }
+ if (!(Get-Module -ListAvailable WHfBTools)) {
+ install-module WHfBTools -Scope CurrentUser
+ }
+ import-module MSOnline
+ $module = Get-Module MSOnline
+ add-type -path "$($module.ModuleBase)\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
+ $AuthSessions = [Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache]::DefaultShared.ReadItems()
+ $authed = $false
+ foreach ($AuthSession in $AuthSessions) {
+ if ($AuthSession.clientid -eq "1b730954-1685-4b74-9bfd-dac224a7b894") {
+ if ($AuthSession.expireson -gt (Get-Date)) {
+ $authed = $true
+ }
+ }
+ }
+ if (!$authed) {
+ Connect-MsolService
+ $AuthSessions = [Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache]::DefaultShared.ReadItems()
+ }
+ $auths = $AuthSessions | where-object { $_.ClientId -eq "1b730954-1685-4b74-9bfd-dac224a7b894" } | Select-Object -Last 1
+ $authHeader = @{
+ 'Content-Type' = 'application/json'
+ 'Authorization' = $($Auths.AccessToken)
+ 'ExpiresOn' = $Auths.ExpiresOn
+ }
+ $gu = (Invoke-WebRequest -Method get -Uri "https://graph.microsoft.com/beta/users/$UPN" -Headers $authHeader -UseBasicParsing).content | ConvertFrom-Json
+ $devices = [System.Collections.ArrayList]::new()
+ if ((get-member -InputObject $gu).name -contains "devicekeys") {
+ foreach ($d in $GU.devicekeys) {
+ $device = Get-MsolDevice -DeviceId $d.deviceid
+ if ($device) {
+ $devices.add($device)
+ }
+ }
+ }
+ $aduser = Get-ADWHfBKeys -Domain $DomainNetBiosName -SamAccountName $sAMAccountName -skipcheckfororphanedkeys
+ Write-Output "ADUser:$($aduser.KeyDeviceID)`n`rKey:$($aduser.KeyMaterial)"
+ write-output "AADUser:$($GU.devicekeys.deviceid)`n`rKey:$($GU.devicekeys.keymaterial)"
+}
\ No newline at end of file
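Review bot: The function is declared as `Ge-WHFBAADUser` in a file named Test-WHFBAADUser.ps1, so a loader that exports public functions by file name would not find it and callers using the Test- verb get command-not-found; the first line should read `function Test-WHFBAADUser {`. The Graph request sets `'Authorization' = $($Auths.AccessToken)` with no scheme, so unless the cached AccessToken already carries one it should be `'Authorization' = "Bearer $($Auths.AccessToken)"`, and because that token was acquired by Connect-MsolService for the MSOnline client it may have been issued for a different resource than graph.microsoft.com and be rejected — worth confirming against a live tenant; the `ExpiresOn` entry is not an HTTP header and can be dropped. `$UPN` is interpolated into the request path unescaped, so `-Uri "https://graph.microsoft.com/beta/users/$([uri]::EscapeDataString($UPN))"` is needed to keep a UPN containing `/`, `?` or `#` from changing which resource is requested. The two `install-module` calls pull unpinned modules from the gallery at call time, which contradicts the README lines added in this same commit saying they must be pre-installed; a `#Requires -Modules MSOnline, WHfBTools` statement (or an explicit `-RequiredVersion`) would state the dependency without installing anything on the operator's behalf. `$devices` is populated but never returned, and the two Write-Output strings leave the caller nothing to compare programmatically, so consider emitting one object carrying the AD and AAD key ids instead.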
diff --git a/WHFBCHECKS/public/test-WHFB.ps1 b/WHFBCHECKS/public/test-WHFB.ps1
index bdd3068..4319284 100644
--- a/WHFBCHECKS/public/test-WHFB.ps1
+++ b/WHFBCHECKS/public/test-WHFB.ps1
@@ -12,7 +12,7 @@ function Test-WHFB {
 $cred = Get-Credential
 }
 if (!(Get-Module -ListAvailable Invoke-CommandAs)) {
- Write-Host "Installing Invoke-CommandAs module to ensure PowerShell Remote works for AAD Connect" -ForegroundColor Green
+ Write-FormattedHost -Message "Invoke-CommandAs module not installed, this ensures PowerShell Remote works for AAD Connect" -ResultState Fail -ResultMessage "Installing Invoke-CommandAs now"
 Install-Module Invoke-CommandAs -scope CurrentUser
 }
 #region AD
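Review bot: `Write-FormattedHost` is not a built-in cmdlet and none of the four files in this commit's diffstat defines it, so unless it already exists in the module the new line throws command-not-found before `Install-Module Invoke-CommandAs -scope CurrentUser` ever runs; please reference where it is defined or add it in this commit. Reporting a not-yet-installed helper as `-ResultState Fail` also reads as a failed readiness check even though the script installs the module itself on the next line, so a non-failing state (if the helper offers one) or a plain informational message would fit better. Test-WHFB begins before this hunk and continues after it.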
@@ -114,34 +114,35 @@ function Test-WHFB {
 }
 elseif ($ca.count -eq 1) {
 if ($ca.osver -lt 6.2) {
- Write-Host "CA $($ca.name) is on an unsupported version of Windows, it needs to be at Windows Server 2012 or higher`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure" -ForegroundColor Red
+ Write-FormattedHost -Message "CA $($ca.name) version of Windows is $($ca.osver) which is:" -ResultState Fail -ResultMessage "Unsupported" -AdditionalInfo "More information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure"
 }
 else {
- Write-Host "CA $($ca.name) is on a supported version of Windows Server" -ForegroundColor Green
+ Write-FormattedHost -Message "CA $($ca.name) version of Windows is $($ca.osver) which is:" -ResultState Pass -ResultMessage "Supported"
 }
 }
 elseif ($ca.count -gt 1) {
 foreach ($c in $ca) {
 if ($c.osver -lt 6.2) {
- Write-Host "CA $($c.name) is on an unsupported version of Windows, it needs to be at Windows Server 2012 or higher`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure" -ForegroundColor Red
+ Write-FormattedHost -Message "CA $($ca.name) version of Windows is $($ca.osver) which is:" -ResultState Fail -ResultMessage "Unsupported" -AdditionalInfo "More information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure"
 }
 else {
- Write-Host "CA $($c.name) is on a supported version of Windows Server" -ForegroundColor Green
+ Write-FormattedHost -Message "CA $($ca.name) version of Windows is $($ca.osver) which is:" -ResultState Pass -ResultMessage "Supported"
 }
 }
 }
 $CACertTemplate = Get-WHFBCACertTemplate
 if(!($CACertTemplate)) {
- Write-Host "CA No KDC Certificate Template found`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure" -ForegroundColor Red
+ Write-FormattedHost -Message "CA KDC Certificate Template is:" -ResultState Fail -ResultMessage "Missing" -AdditionalInfo "More information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure"
 }
 else {
- Write-Host "CA KDC Certificate Template named: `"$($CACertTemplate.displayName)`" exists." -ForegroundColor Green
+ Write-FormattedHost -Message "CA KDC Certificate Template is:" -ResultState Pass -ResultMessage $CACertTemplate.displayName
 }
 if ($dccerts.Count -eq 0) {
- Write-Host "CA no KDC certificates found on the Domain Controllers`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base" -ForegroundColor Red
+ Write-FormattedHost -Message "CA KDC Certificate on Domain Controllers:" -ResultState Fail -ResultMessage "Missing" -AdditionalInfo "More information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base"
 }
 elseif ($DCCerts.count -eq 1) {
 $CertCRLDP = (Get-WHFBCertCRLDP -CertPath $DCCerts.PSPath -Computername $DCCerts.PSComputerName -Creds $cred).DistributionPoints | Where-Object { $_ -like '*http:*' }
 if (!($CertCRLDP)) {
+ Write-Host "CA KDC cert on Domain Controller $($DCCerts.PSComputerName) does not include a HTTP CRL`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base#configuring-a-crl-distribution-point-for-an-issuing-certificate-authority" -ForegroundColor Red
 }
 else {
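Review bot: Inside `foreach ($c in $ca)` the two new Write-FormattedHost lines interpolate `$($ca.name)` and `$($ca.osver)`, i.e. the whole CA collection rather than the current element, so with several CAs every line prints the joined names and versions and no longer matches the value the `if ($c.osver -lt 6.2)` branch actually tested; the lines they replace used `$c`, and both messages should read `-Message "CA $($c.name) version of Windows is $($c.osver) which is:"`. The added CRL check is the only result in this hunk still written as `Write-Host ... -ForegroundColor Red`, while every neighbouring check was converted to `Write-FormattedHost` with `-ResultState Fail` and the docs link as `-AdditionalInfo`; converting it the same way keeps the output format uniform for anyone parsing it. Test-WHFB begins before this hunk and continues after it.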